A user U sends a registration request to the central authority CA.

CA randomly generates an entry in the dynamic authentication key table (CA_DAK[U]) and sends a copy of it to U, via a secure channel.

CA starts a daemon to regenerate CA_DAK[U] dynamically every δt, and to maintain a number-regeneration-counter CA_DAK_NRC[U].

U starts a daemon to regenerate DAK dynamically every δt, and to maintain a number-regeneration-counter DAK_NRC.

CA receives a dynamic session key generation request from a user Us to communicate with user Ud, along with its frozen Us_DAK_NRC.

CA forks a child communication process, which asks Ud to send its DAK_NRC.







Receive a snapshot copy of CA_DAK[Us] and CA_DAK[Ud] and their counts CA_NRC[Us] and CA_NRC[Ud] from their corresponding daemon. Then, CA aligns with Us and Ud (FIG. 5).

CA ignores the last synchronization effects of the non-authenticated user, sends an "ABORT" message to both users, and terminates its child process.

CA generates a dynamic session key DSK and sends a "SESSION KEY" message to Us and Ud, including DSK encrypted by each user's dynamic authentication key (CA_DAK[Us] and CA_DAK[Ud]). The DSK along with the frozen/snapshot DAKs, at both user and CA nodes, are used as a new state, in the DAK regeneration process, by the key management daemons. Then, CA's child communication process terminates.

CA performs (U_DAK_NRC - CA_DAK_NRC[U]) dynamic key regeneration on CA_DAK[U], in order to synchronize with U.

CA sends a "SYNCHRONIZE" message to U, including (CA_DAK_NRC[U] - U_DAK_NRC), for U to perform dynamic key regeneration on its DAK, to synchronize with CA.
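
The counter-based alignment in the two boxes above, as an added sketch that is not part of the original page: whichever side holds the smaller regeneration counter regenerates by the difference. The `regenerate` function (SHA-256 chaining), the `KeyState` class and the seed value are assumptions for illustration; the page's own regeneration procedure (FIG. 14) is not reproduced here.

```python
import hashlib
from dataclasses import dataclass


def regenerate(dak: bytes) -> bytes:
    """Stand-in single regeneration step (assumption): SHA-256 of the current key."""
    return hashlib.sha256(b"dak-regen" + dak).digest()


@dataclass
class KeyState:
    dak: bytes      # current dynamic authentication key
    nrc: int = 0    # number-regeneration-counter (DAK_NRC)

    def advance(self, steps: int) -> None:
        if steps < 0:
            raise ValueError("cannot regenerate a negative number of times")
        for _ in range(steps):
            self.dak = regenerate(self.dak)
        self.nrc += steps


def synchronize(ca: KeyState, user: KeyState):
    """Align CA_DAK[U] with U's DAK using the two frozen counters.

    Returns None when CA caught up locally, otherwise the
    ("SYNCHRONIZE", n) message that tells U to regenerate n times.
    """
    diff = user.nrc - ca.nrc
    if diff >= 0:
        ca.advance(diff)            # CA performs (U_DAK_NRC - CA_DAK_NRC[U]) steps
        return None
    msg = ("SYNCHRONIZE", -diff)    # carries (CA_DAK_NRC[U] - U_DAK_NRC)
    user.advance(msg[1])            # U applies the count on receipt
    return msg


def demo():
    seed = bytes(range(32))         # constructed registration value, not from the page
    ca, u = KeyState(seed), KeyState(seed)
    ca.advance(5)
    u.advance(8)                    # daemons drifted: U is 3 steps ahead
    first = synchronize(ca, u)
    ca.advance(4)                   # later, CA is 4 steps ahead
    second = synchronize(ca, u)
    return first, second, ca, u


if __name__ == "__main__":
    first, second, ca, u = demo()
    print(first, second, ca.nrc, u.nrc, ca.dak == u.dak)
```

Equal counters alone prove nothing about the peer, which is why the flow continues with the nonce exchange of FIG. 6 and why CA discards the synchronization effects if that authentication fails.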

CA generates nonce N and sends (N, E(N)) to U, where E(N) is the encryption of N using CA_DAK[U], including "AUTHENTICATE" message (FIG. 10).

CA decrypts E(N^) using CA_DAK[U] to get D(E(N^)).

Report successful authentication of user U by CA.

Report failure to authenticate U by CA.

Resume FIG. 4

U decrypts E(N) with DAK to get D(E(N)).

Successful authentication of CA by U. Acknowledge to CA, including

Failure to authenticate CA by U, abort connection establishment.

FIG. 6b

CA experiences shut-down event.

U's system experiences shut-down event.

CA sends a "freeze-DAK-regenerating" message to all previously subscribed users.

U sends a "freeze-DAK-regenerating" message to its CA.

CA saves all DAKs into a temporary file.

U saves its DAK into a temporary file.

CA shuts down.

CA reboots after a time t, reloads DAKs from temporary file, and asks all registered users to send DAK_NRC.

For every registered user U: Synchronize (CA, U), to obtain the same DAK at their sites (FIG. 5).

Use the same obtained DAK to authenticate U and CA to one another (FIG. 6).

CA sends a "resume-DAK-regenerating" message to the successfully synchronized users. Other users are asked to establish a new registration.

U's system shuts down.

U's system reboots after a time x, reloads DAK from temporary file, and sends its DAK_NRC to the CA.

Synchronize (CA, U) (FIG. 5).

Use the same obtained DAK to authenticate U and CA to one another (FIG. 6).

In case of successful synchronization, U sends a "resume-DAK-regenerating" message to CA. Otherwise, U establishes a new registration with the CA.

Register to CA (FIG. 2).

Fork a child process to freeze DAK generation and to send session establishment request to the CA that includes the frozen DAK_NRC and the destination user's (Ud) identification.

Start handshaking with the CA (FIG. 10).

Resume from FIG. 10, i.e., handshaking is a success; receive initial DSK.

Using DSK as a seed, generate n dynamic session keys (DSK1, ..., DSKn), each of the same size as the DSK size.

Extract the next n records (Record1, ..., Recordn), each of the same size as the DSK size.

Encrypt data Recordi using its corresponding dynamic session key DSKi, resulting in a cipher Cipheri, for i=1,...,n (FIG. 11).

Regenerate a new DSKi, for i=1,...,n (FIGS. 13a and 13b).

Transmit the ciphers: Cipheri, for i=1,...,n.

FIG. 8

Ud receives a request of communication with Us from CA.

Fork a child process to stop regenerating DAK; send the frozen DAK_NRC to CA.

Start handshaking with the CA (FIG. 10).

Resume from FIG. 10, i.e., handshaking is a success; received initial DSK.

Using DSK as a seed, generate n new DSKs (DSK1, ..., DSKn), each of the same size as the DSK size.

Receive the cipher records: Cipheri, for i=1,...,n.

Decrypt cipher records Cipheri using corresponding DSKi, resulting in a decrypted record Recordi, for i=1,...,n (FIG. 12).

Restore the original message data by assembling decrypted records (Record1, ..., Recordn).

Regenerate new DSKi, for i=1,...,n (FIGS. 13a and 13b).

dynamically DAK for X times (FIG. 14).

Authenticate CA (FIG. 6(b)).

SESSION KEY (E(DSK))

Decrypt E(DSK) using DAK to obtain the DSK.

Abort Connection Request, and terminate the communication child process.

Return the aligned DAK and the new DSK to the parent daemon in order to initialize the DAK regeneration state.

Resume connection establishment at the user (source or destination) side (FIG. 8 and FIG. 9).